@antv npm Attack Hits CI/CD Secrets and Tokens

Summary

Microsoft has disclosed an active supply chain attack involving compromised @antv npm packages that used malicious preinstall scripts to steal credentials from GitHub Actions and other CI/CD environments. The campaign matters because it spread through popular downstream dependencies, putting developer pipelines, cloud secrets, and software supply chains at risk.

Introduction

Microsoft has uncovered a significant npm supply chain attack affecting the @antv package ecosystem. Because these packages are widely used directly and transitively, the compromise can reach far beyond a single project and into CI/CD pipelines, cloud environments, and downstream software builds.

For IT and security teams, this is a reminder that package ecosystem compromises can quickly become credential theft and cloud access incidents.

What happened

A threat actor compromised an @antv maintainer account and published malicious package versions. The malicious code executed during npm install through a preinstall hook and targeted GitHub Actions runners on Linux.

Key technical findings

  • Malicious @antv packages propagated through dependency chains into widely used libraries such as echarts-for-react
  • The payload was heavily obfuscated and designed to evade analysis
  • It executed silently during package installation
  • It focused on CI/CD environments, especially GitHub Actions
  • It installed Bun if needed and launched a second-stage payload

Credentials and secrets targeted

Microsoft says the malware attempted to steal credentials from multiple platforms, including:

  • GitHub tokens and repository secrets
  • AWS credentials and Secrets Manager data
  • HashiCorp Vault tokens
  • npm tokens
  • Kubernetes service account secrets
  • 1Password CLI data

The payload also scraped GitHub Actions runner process memory to extract secrets directly, potentially bypassing normal secret masking protections.

Why this matters for administrators

This is more than a developer issue. If affected packages were installed in enterprise build systems, attackers may have gained access to:

  • Source code repositories
  • CI/CD secrets and pipelines
  • Cloud workloads and infrastructure
  • Package publishing credentials

Microsoft also notes the malware attempted privilege escalation, dual-channel exfiltration, and even SLSA provenance forgery, which undermines trust in software supply chain attestations.

What GitHub did

GitHub responded by:

  • Removing 640 malicious packages
  • Invalidating 61,274 npm granular access tokens that had write permissions and 2FA bypass enabled
  • Publishing advisories and issuing Dependabot and npm audit alerts

Administrators should act quickly:

  • Review dependency trees for direct or transitive use of affected @antv packages
  • Identify systems that installed or built these packages during the exposure window
  • Rotate GitHub, npm, AWS, Vault, Kubernetes, and other potentially exposed credentials
  • Audit GitHub Actions workflows, runner logs, and repository changes for suspicious activity
  • Check for unauthorized repos, commits, secrets access, or package publication events
  • Pin known-good package versions and strengthen dependency controls
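One way to carry out the first two steps above, as an added example that is not part of Microsoft's or GitHub's guidance: a Node script that walks an npm lockfile (lockfileVersion 2 or 3) and reports every @antv package, whether it is a direct or transitive dependency, every package npm flagged with `hasInstallScript` (set when a package declares preinstall, install or postinstall hooks), and any name/version pair on an operator-supplied bad list. The lockfile and the bad-version list below are constructed placeholders; fill the list from the published advisory.

```javascript
// Added example, not code from the advisory. Audits an npm lockfile object
// (lockfileVersion 2/3, "packages" map) for the indicators the @antv campaign
// relied on: @antv packages reached transitively and install lifecycle scripts.

// PLACEHOLDER: populate from the advisory; this entry is constructed, not real.
const KNOWN_BAD = { '@antv/example-pkg': ['9.9.9'] };

function auditLockfile(lock, knownBad = KNOWN_BAD) {
  const findings = { antv: [], installScripts: [], knownBad: [] };
  const packages = lock.packages || {};
  // The root entry ("") lists the project's own direct dependencies.
  const root = packages[''] || {};
  const rootDeps = { ...(root.dependencies || {}), ...(root.devDependencies || {}) };
  const marker = 'node_modules/';
  for (const [path, meta] of Object.entries(packages)) {
    if (path === '') continue;
    // Package name is whatever follows the last "node_modules/" in the path;
    // a nested path means the package arrived through another dependency.
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const version = meta.version || 'unknown';
    const direct = Object.prototype.hasOwnProperty.call(rootDeps, name);
    if (name.startsWith('@antv/')) findings.antv.push({ name, version, direct, path });
    // npm sets hasInstallScript when the package declares an install hook;
    // this is where a malicious preinstall would run during "npm install".
    if (meta.hasInstallScript) findings.installScripts.push({ name, version, path });
    if ((knownBad[name] || []).includes(version)) findings.knownBad.push({ name, version, path });
  }
  return findings;
}

// Constructed sample lockfile: echarts-for-react is named on the page as a
// downstream carrier, but the versions and nesting here are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'echarts-for-react': '^3.0.0' } },
    'node_modules/echarts-for-react': { version: '3.0.0' },
    'node_modules/echarts-for-react/node_modules/@antv/example-pkg': {
      version: '9.9.9', hasInstallScript: true,
    },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

const REPORT = auditLockfile(SAMPLE_LOCK);
console.log(JSON.stringify(REPORT, null, 2));
```

Running `npm ci --ignore-scripts` in CI blocks the preinstall hook this campaign used, at the cost of breaking packages that legitimately need install scripts, so pair it with the audit rather than relying on either alone.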

Bottom line

The @antv compromise shows how a single npm maintainer account takeover can cascade into widespread CI/CD credential theft. Security and DevOps teams should treat any exposure as a potential pipeline and cloud credential incident, not just a package hygiene issue.

